@cyclonedx/cdxgen 8.4.8 → 8.4.10

package/index.js

@@ -1167,14 +1167,23 @@ const createJavaBom = async (path, options) => {
         ["true", "1"].includes(multiProjectMode) ||
         (gradleFiles.length > 1 && !["false", "0"].includes(multiProjectMode))
       ) {
-        if (DEBUG_MODE) {
-          console.log("Executing", gradleCmd, "projects in", path);
+        let gradleProjectsArgs = ["projects", "-q", "--console", "plain"];
+        if (process.env.GRADLE_ARGS) {
+          const addArgs = process.env.GRADLE_ARGS.split(" ");
+          gradleProjectsArgs = gradleProjectsArgs.concat(addArgs);
         }
-        const result = spawnSync(
+        console.log(
+          "Executing",
           gradleCmd,
-          ["projects", "-q", "--console", "plain"],
-          { cwd: path, encoding: "utf-8", timeout: TIMEOUT_MS }
+          gradleProjectsArgs.join(" "),
+          "projects in",
+          path
         );
+        const result = spawnSync(gradleCmd, gradleProjectsArgs, {
+          cwd: path,
+          encoding: "utf-8",
+          timeout: TIMEOUT_MS
+        });
         if (result.status !== 0 || result.error) {
           if (result.stderr) {
             console.error(result.stdout, result.stderr);
@@ -1391,7 +1400,9 @@ const createJavaBom = async (path, options) => {
             const cmdOutput = Buffer.from(stdout).toString();
             const parsedList = utils.parseGradleDep(cmdOutput);
             const dlist = parsedList.pkgList;
-            parentComponent = dlist.splice(0, 1)[0];
+            if (!parentComponent) {
+              parentComponent = dlist.splice(0, 1)[0];
+            }
             if (parsedList.dependenciesList && parsedList.dependenciesList) {
               dependencies = mergeDependencies(
                 dependencies,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.4.8",
+  "version": "8.4.10",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",

package/utils.js

@@ -1190,6 +1190,18 @@ const parseGradleDep = function (
   rootProjectVersion = "latest"
 ) {
   if (typeof rawOutput === "string") {
+    // Bug: 249. Get any sub-projects refered here
+    const retMap = parseGradleProjects(rawOutput);
+    // Issue #289. Work hard to find the root project name
+    if (
+      !rootProjectName ||
+      (rootProjectName === "root" &&
+        retMap &&
+        retMap.rootProject &&
+        retMap.rootProject !== "root")
+    ) {
+      rootProjectName = retMap.rootProject;
+    }
     let match = "";
     // To render dependency tree we need a root project
     const rootProject = {
@@ -1202,10 +1214,10 @@ const parseGradleDep = function (
     const deps = [rootProject];
     const dependenciesList = [];
     const keys_cache = {};
+    const deps_keys_cache = {};
     let last_level = 0;
     let last_purl = `pkg:maven/${rootProjectName}@${rootProjectVersion}?type=jar`;
-    // Bug: 249. Get any sub-projects refered here
-    const retMap = parseGradleProjects(rawOutput);
+    const first_purl = last_purl;
     const level_trees = {};
     level_trees[last_purl] = [];
     if (retMap && retMap.projects) {
@@ -1229,30 +1241,45 @@ const parseGradleDep = function (
     let stack = [last_purl];
     const depRegex =
       /^.*?--- +(?<group>[^\s:]+):(?<name>[^\s:]+)(?::(?:{strictly [[]?)?(?<versionspecified>[^,\s:}]+))?(?:})?(?:[^->]* +-> +(?<versionoverride>[^\s:]+))?/gm;
-    while ((match = depRegex.exec(rawOutput))) {
-      const [line, group, name, versionspecified, versionoverride] = match;
-      const version = versionoverride || versionspecified;
-      const level = line.split(group)[0].length / 5;
-      if (version !== undefined) {
-        let purlString = new PackageURL(
-          "maven",
-          group,
-          name,
-          version,
-          { type: "jar" },
-          null
-        ).toString();
-        purlString = decodeURIComponent(purlString);
-        // Filter duplicates
-        if (!keys_cache[purlString]) {
-          keys_cache[purlString] = true;
+    for (const rline of rawOutput.split("\n")) {
+      if (last_level !== 1) {
+        if (
+          !rline ||
+          rline.trim() === "" ||
+          rline.startsWith("+--- ") ||
+          rline.startsWith("\\--- ")
+        ) {
+          last_level = 1;
+          last_purl = first_purl;
+          stack = [last_purl];
+        }
+      }
+      while ((match = depRegex.exec(rline))) {
+        const [line, group, name, versionspecified, versionoverride] = match;
+        const version = versionoverride || versionspecified;
+        const level = line.split(group)[0].length / 5;
+        if (version !== undefined) {
+          let purlString = new PackageURL(
+            "maven",
+            group,
+            name,
+            version,
+            { type: "jar" },
+            null
+          ).toString();
+          purlString = decodeURIComponent(purlString);
+          keys_cache[purlString + "_" + last_purl] = true;
           if (group !== "project") {
-            deps.push({
-              group,
-              name: name,
-              version: version,
-              qualifiers: { type: "jar" }
-            });
+            // Filter duplicates
+            if (!deps_keys_cache[purlString]) {
+              deps_keys_cache[purlString] = true;
+              deps.push({
+                group,
+                name: name,
+                version: version,
+                qualifiers: { type: "jar" }
+              });
+            }
             if (!level_trees[purlString]) {
               level_trees[purlString] = [];
             }
@@ -1269,7 +1296,8 @@ const parseGradleDep = function (
               for (let i = level; i <= last_level; i++) {
                 stack.pop();
               }
-              const last_stack = stack[stack.length - 1];
+              const last_stack =
+                stack.length > 0 ? stack[stack.length - 1] : first_purl;
               const cnodes = level_trees[last_stack] || [];
               cnodes.push(purlString);
               level_trees[last_stack] = cnodes;

package/utils.test.js

@@ -205,12 +205,32 @@ test("parse gradle dependencies", () => {
     fs.readFileSync("./test/data/gradle-rich5.dep", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(68);
-  expect(parsedList.dependenciesList.length).toEqual(69);
+  expect(parsedList.dependenciesList.length).toEqual(68);
   parsedList = utils.parseGradleDep(
     fs.readFileSync("./test/data/gradle-out-249.dep", { encoding: "utf-8" })
   );
   expect(parsedList.pkgList.length).toEqual(21);
   expect(parsedList.dependenciesList.length).toEqual(21);
+  parsedList = utils.parseGradleDep(
+    fs.readFileSync("./test/data/gradle-service.out", { encoding: "utf-8" })
+  );
+  expect(parsedList.pkgList.length).toEqual(35);
+  expect(parsedList.dependenciesList.length).toEqual(35);
+  parsedList = utils.parseGradleDep(
+    fs.readFileSync("./test/data/gradle-s.out", { encoding: "utf-8" })
+  );
+  expect(parsedList.pkgList.length).toEqual(28);
+  expect(parsedList.dependenciesList.length).toEqual(28);
+  parsedList = utils.parseGradleDep(
+    fs.readFileSync("./test/data/gradle-core.out", { encoding: "utf-8" })
+  );
+  expect(parsedList.pkgList.length).toEqual(19);
+  expect(parsedList.dependenciesList.length).toEqual(19);
+  parsedList = utils.parseGradleDep(
+    fs.readFileSync("./test/data/gradle-single.out", { encoding: "utf-8" })
+  );
+  expect(parsedList.pkgList.length).toEqual(153);
+  expect(parsedList.dependenciesList.length).toEqual(153);
 });
 
 test("parse gradle projects", () => {
@@ -933,6 +953,7 @@ test("parse .net cs proj", async () => {
 });
 
 test("get nget metadata", async () => {
+  jest.setTimeout(240000);
   const dep_list = await utils.getNugetMetadata([
     {
       group: "",